# CVE-2021-38648 Microsoft OMI Management Interface Authentication Bypass
This is an LPE exploit for CVE-2021-38648

## Usage

```
usage: cve_2021_38648.py [-h] [-s SOCKET_PATH] [--timeout TIMEOUT] command

positional arguments:
  command               the command to run

optional arguments:
  -h, --help            show this help message and exit
  -s SOCKET_PATH, --socket SOCKET_PATH
                        socket file
  --timeout TIMEOUT     response timeout
```

The exploit will exit with a status of 0 on success. The command is limited to 256 characters in length due to the
hardcoded messages that are exchanged. To increase this, generate a new series of messages using the `strace` command
below, search for the second `writev` syscall and extract each `iovec` instance. There should be six in total, and the
first 4 bytes of each should be consistent.

The hardcoded messages were recovered using:
```
strace -v -s 5000 -f -xx -e trace=socket,connect,write,writev,close \
  /opt/omi/bin/omicli iv root/scx { SCX_OperatingSystem } ExecuteShellCommand { command '...' timeout 0 }
```

It is important that the exploit wait on the socket for a response to be received. It doesn't need to be read, but the
socket needs to be kept open until either the server closes it or the response is received.
